You need to set up the Spring Security Kerberos extension- this is the only out of the box way to do what you're describing in Spring Security 3. This supports SPNEGO negotiation, but requires some amount of setup on the server (and knowledge of how SPNEGO and Kerberos works).

您需要设置Spring Security Kerberos 扩展- 这是执行您在 Spring Security 3 中描述的唯一开箱即用的方式。这支持 SPNEGO 协商，但需要在服务器上进行一些设置（以及了解SPNEGO 和 Kerberos 的工作原理）。

There's not much documentation - but Mike's sample applications that he ships with 1.0M2 are great, and cover most of the common scenarios, including automated SPNEGO authentication.

没有太多文档 - 但 Mike 随 1.0M2 提供的示例应用程序很棒，涵盖了大多数常见场景，包括自动 SPNEGO 身份验证。

The key thing for SPNEGO is to set up a custom AuthenticationEntryPoint- you'll need to do this with a custom spring bean as follows:

SPNEGO 的关键是设置自定义AuthenticationEntryPoint- 您需要使用自定义 spring bean 执行此操作，如下所示：

<bean id="kerbEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

<bean id="kerbAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

... there are more beans that'll be required besides these (again, refer to the samples w/the Kerberos extension). Post back if you get further along with Spring Security or if you want exact details (since there are a number of beans / config bits involved, some knowledge of your configuration would be helpful, such as whether you are using the <http>namespace style or not).

...除此之外，还需要更多的 bean（再次参考带有 Kerberos 扩展的示例）。如果您对 Spring Security 有进一步的了解，或者如果您想要确切的详细信息，请回帖（由于涉及许多 bean/配置位，因此您对配置的一些了解会有所帮助，例如您是否正在使用<http>命名空间样式） .

Other than this option, you would have to set up a similar type of SPNEGO auth (such as using WAFFLE, as you suggest) - other SO questionscover this pretty well.

除了此选项，您还必须设置类似类型的 SPNEGO 身份验证（例如使用 WAFFLE，正如您所建议的） -其他 SO 问题很好地涵盖了这一点。

Finally, you could possibly front Tomcat with another web server which supports SPNEGO or NTLM better, such as Microsoft IIS or Apache Web Server with mod_spnego.

最后，您可以将 Tomcat置于另一个更好地支持 SPNEGO 或 NTLM 的 Web 服务器，例如 Microsoft IIS 或带有mod_spnego 的Apache Web 服务器。

Hopefully one of these ideas would work for you!

希望这些想法之一对你有用！

What browser are your users using? If IE; there is a simple solution:

您的用户使用什么浏览器？如果 IE; 有一个简单的解决方案：

<html>
<script type="text/javascript">
var WinNetwork = new  ActiveXObject("WScript.Network");
alert(WinNetwork.UserName);
</script>
</html>

The latest way for Windows to do it is SPNEGO. To make it work fully you need you server to have an account in AD, and communicate with Kerberos. Then Spring Security, I was told, supports this.

Windows 执行此操作的最新方法是SPNEGO。为了使其完全工作，您需要您的服务器在 AD 中拥有一个帐户，并与 Kerberos 进行通信。有人告诉我，Spring Security 支持这一点。

Now, not always you need to authorize users. Sometimes (e.g. for stats reasons) it's enough to get the AD id of the user. When I was playing with SPNEGO, the binary data that was passed from browser were including the user id in clear text. It can be extract from there, but cannot be trusted of course.

现在，您并不总是需要授权用户。有时（例如出于统计原因）获取用户的 AD id 就足够了。当我玩 SPNEGO 时，从浏览器传递的二进制数据包含明文形式的用户 ID。它可以从那里提取，但当然不能被信任。

NTLM is outdated, considered less secure, and largely rolled out from the environments.

NTLM 已经过时，被认为不太安全，并且主要从环境中推出。

If you are using Tomcat, then use WAFFLE.

如果您使用的是 Tomcat，请使用WAFFLE。

I bet you can put Apache web server in front of tomcat so apache can authenticate using NTLMor Kerberos. Then you can use rewrite rules to sent requests to tomcat with username in the plain. This is just an idea, I have not implemented this myself. However we are using Apache Kerberos authentication in our intranet. My suggestion is not to use NTLM, it's outdated and flaky.

我敢打赌，您可以将 Apache Web 服务器放在 tomcat 的前面，以便 apache 可以使用NTLM或Kerberos进行身份验证。然后您可以使用重写规则将请求发送到带有普通用户名的 tomcat。这只是一个想法，我自己没有实现。但是，我们在内部网中使用 Apache Kerberos 身份验证。我的建议是不要使用 NTLM，它已经过时且不稳定。